The role of technology in Sarbanes-Oxley Act compliance - Connectivity

Computer Technology Review, Oct, 2003 by Sagar Anisingaraju

The Sarbanes-Oxley Act and the subsequent rulemaking commenced by the SEC are effecting far-reaching changes in corporate governance, financial statement disclosure and auditor independence. Under sections 302 and 404 specifically, companies need a repeatable and persuasive basis for their disclosures on the status of the internal control environment. External auditors of corporations must also provide an annual opinion on the reliability of the control representations made by the companies.

While the compliance activity appears to be a financial and audit issue and not a systems issue, it is important to understand the role that technology plays in achieving sustainable compliance. After all, the essence of the Act is all about ensuring that internal controls are in place to create and document information for financial disclosures. And which organization today does not depend on technology to create, modify and manage information?

The key activities in preparing for SOX compliance:

Documentation involves putting together all the procedures, policies, risk areas, controls and objectives in a systematic and structured way. The process and control documents should be accessible to relevant employees across the organization.

Monitoring of the control environment includes verifying systemic controls within the financial systems and the associated actions for remediation of any control violations.

Internal Control Assessments is a process by which management assesses the health of the controls across the organization for each of the entities and processes.

Measurement of control health is an ongoing process by which management benchmarks their progress and identifies laggards.

Communication is the underlying glue across all activities of the compliance system. Management, the Audit Committee, Audit teams and Process owners are all connected to achieve the corporate compliance goals.

Reporting is the activity under which relevant compliance reports are published for assisting in attestation.

We can now identify the key role that technology plays in each of the above activities:

Documentation: Organizations need a centralized system to document their internal control environment. Policy documents, process flows, organizational objectives, the risks identified against these objectives and the controls planned need to be well documented in a secure and auditable environment. Management and Process/Control owners across the organization should have anytime and anywhere access to these documentation elements. Technology solutions exist to centrally create and manage digital documents, allowing worldwide access via the corporate intranets with single authentication and access control security.

Monitoring: Monitoring of controls is required at entity and process levels. Management designs entity-level monitoring to implement controls for each of the identified processes. Process owners or Control owners evaluate the effectiveness of the controls. Best practices suggest that internal control and data integrity check points must be embedded into the financial systems. However, an external monitoring system should be in place to assess these system-level controls. This is accomplished by integrating the monitoring system with specific event-based controls within the financial IT systems. Depending on the technology used in the financial systems, the integration is done either as an event-based programming interface at the transaction level or as an analytical integration with the reporting system. Application Programming Interfaces offered by the Financial Systems vendors, Connectors and XML are some of the key technologies used here.

Internal Control Assessments: For management to assert the internal controls, assessment and evaluation of design and operational effectiveness is required. Management and audit teams plan the assessments, but individual process owners provide the actual assessments. Strong IT tools are thus required to design and program the assessment questionnaires and to conduct periodic programs to capture the assessments from distributed functional owners within the enterprise. Integration with internal HR systems, LDAP databases and corporate email systems are some of the key technologies used during this activity.

Measurements: A unified measurement system is pivotal in evaluating the controls. The measurement system should facilitate aggregating the health of the controls across each of the entities and processes. Under the COSO framework, the measurement system should provide means to measure the status of control information across Strategic, Financial & Compliance Objectives. The measurement system should also facilitate identification of laggards within the organization to implement changes for process optimization. The financial dashboards that management reviews should show the overall maturity of the organization for corporate governance and should facilitate drilling down to individual processes and systems. Technology plays a key role again in this area. The measurement system of internal controls should seamlessly integrate with Corporate Performance Management tools, Scorecard systems and other analytical applications.


 

Content provided in partnership with Thompson Gale